The Australian government is looking to update its national cybersecurity strategy by 2020. In preparation, it's released a discussion paper that seeks input from citizens, the business community, academics and other stakeholders.

Peter Dutton, Australia's minister of home affairs who's leading this effort, notes in the paper that the country's new cybersecurity strategy will focus on improving the nation's capabilities and helping the nation cope with the evolving security landscape, which includes threats from cybercriminals as well as nation-states bent on cyberespionage.

Dutton notes that over the last three years, incidents such as the WannaCry ransomware outbreak of 2017, as well as intrusions such as Cloud Hopper, in which nation-state hacking groups compromised managed IT and cloud service providers as a route into their customers' networks, have increased the threats to Australia (see: Cloud Hopper: Major Cloud Services Victims Named).

"Despite making strong progress against the goals set in 2016, the threat environment has changed significantly, and we need to adapt our approach to improve the security of business and the community," Dutton notes.

Since Australia introduced its first cybersecurity strategy in 2016, Dutton notes, the government has invested $230 million Australian ($158 million U.S.) across 33 projects to improve the country's infrastructure and security posture. But the paper notes that cyber incidents still cost Australian businesses some $29 billion Australian ($20 billion U.S.) each year and affect nearly one in three Australian citizens.

"Cybercriminals are more abundant and better resourced, state actors have become more sophisticated and emboldened and more of our economy is connecting online," Dutton says in making the case for improvements in the nation's cybersecurity plan.

Areas of Improvement

The new strategy will build on Australia's 2016 Cyber Security Strategy. As part of its public outreach, the paper poses 26 questions seeking insights that can be submitted until Nov. 1.

The key areas of focus for the upcoming policy framework include determining the Australian government's role in tackling various cyberthreats, pushing for innovation and security practices at the enterprise level, building a requisite talent pool for managing cyberthreats, and building public awareness about phishing campaigns and other threats, according to the discussion paper.

"Australia must position itself as a world leader in cyber threat detection, prevention and response. This means government and industry will need to work closer together than ever before," Dutton notes.

Shared Responsibility

While stating that cybersecurity is a shared responsibility among the government and public, the paper stresses the need to balance responsibilities among the stakeholders.

The paper notes that the country's laws governing cybercrime limit the government's ability to act directly on vulnerable or compromised devices, leaving end users, such as individual citizens and small businesses, more exposed to cyberthreats.

In the case of BlueKeep, a remotely exploitable flaw in the Remote Desktop Protocol service of older versions of Microsoft Windows that governments around the world have urged organizations to patch, the Australian Cyber Security Center estimates that nearly 50,000 vulnerable machines remain in the country. Because legal restrictions prohibit the government from identifying those vulnerable systems and taking remedial action, however, the paper notes that the true extent of the exposure remains unknown.

"At the moment, government is relying on vulnerable organizations to respond to public warnings from the Australian Cyber Security Center," the paper notes. "Past experience, such as the WannaCry incident, shows us that not everyone responds to these warnings and that this could have serious consequences at a national scale."

As a result, the paper seeks recommendations on identifying the most important cyberthreats, revamping cyber regulations and defining the roles that government and private industry should play in promoting cybersecurity throughout Australia.

Comprehensive Strategy

While the 2016 cybersecurity strategy led to the creation of bodies such as the Australian Cyber Security Center and the Joint Cyber Security Centers, some Australian cybersecurity experts say the policy failed to address key challenges, such as the nationwide cybersecurity skills shortage.

Australia will have to train at least 18,000 cybersecurity professionals by 2026 in order to effectively fight cybercrime, according to a recent report from the Australian Financial Review.

"We still have a big skills shortage; the strategy probably had too many focus areas, and we need to do much more to defend critical infrastructure," Fergus Hanson, an analyst with the Australian Strategic Policy Institute, tells Information Security Media Group. "While we have made attributions of some cyberattacks, we still haven't taken the next step of imposing costs. So there is still no real deterrent."

In a blog post outlining further recommendations, Hanson argues that when the government awards contracts to vendors, it should require those companies to follow baseline cybersecurity practices.

"There are several ways the government could do this. It could, for example, mandate minimum cybersecurity standards in its tender when purchasing new hardware and software for the public service," Hanson adds.

He also proposes that the government make the reporting of data breaches mandatory, and he argues that elected officials need to do more to protect the personal data of citizens.

"One argument commonly used against compulsory disclosure is that notification laws could perversely discourage companies from searching for breaches," Hanson notes. "But that's the situation that exists already - compromises are rife, security is poor and it's past time for overlapping direct measures that ensure all organizations take security seriously."

About the Author

Asokan is senior correspondent for Information Security Media Group's global news desk. She has previously worked at Analytics India Magazine, The New Indian Express and IDG, where she reported on developments in technology and education.
